Policy based dual router



  • My LAN has two WANs, each coming in via a different router, one pfSense and the other a Vigor job. Currently the two routers are unaware of each other, each being the default route for some subset of the LAN's hosts. Typically, hosts using DHCP will see the pfSense router/WAN as their default route, and other hosts using a static assignment will see the Vigor as default route.

    It works well, but what I want to do now is to have hosts using pfSense as the default route send some traffic out of the Vigor gateway. It seems simple enough to me: a firewall rule matching traffic from host x to address y gets redirected via the Vigor, but I can't set this in pfSense because it seems only to want to use a WAN/OPT port as a gateway and won't allow some other LAN address to be used. Is that correct, or am I missing some (possibly well hidden) option?



  • Yeah, that's correct. Currently that's a limitation of our policy routing.

    What I would suggest is putting the Vigor gateway off of a dedicated OPT interface, and using pfSense as the gateway for everything, static or dynamic. Then you can use policy routing to direct traffic as you wish.



  • OK, thanks. I don't really want to chain either router off the other, because that defeats the idea of having them separate :)

    Is this policy thing likely to change or is it pretty much cast in stone?



  • If an interface has a gateway then you can route traffic out of it.
    If the interface has no gateway then it's just a LAN interface.

    If you want pfSense to do the routing, and you want it to sometimes send traffic through the Vigor, then you need to connect the two directly.



  • I'm pushing to have it changed in a future release to allow policy routing to any address you desire, but no ETA on that. Possibly for 1.3, maybe not until after that.

